rpms/selinux-policy/F-9 policy-20071130.patch,1.210,1.211
Daniel J Walsh
dwalsh at fedoraproject.org
Fri Sep 19 14:26:24 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv16138
Modified Files:
policy-20071130.patch
Log Message:
* Tue Sep 18 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-92
- Dontaudit attempts to write user_tmp_t by gssd_t
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.210
retrieving revision 1.211
diff -u -r1.210 -r1.211
--- policy-20071130.patch 19 Sep 2008 13:54:21 -0000 1.210
+++ policy-20071130.patch 19 Sep 2008 14:26:23 -0000 1.211
@@ -11163,7 +11163,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-09-19 09:53:01.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-09-19 10:06:13.000000000 -0400
@@ -20,6 +20,8 @@
# Declarations
#
@@ -11609,18 +11609,15 @@
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -626,8 +760,10 @@
- corenet_udp_sendrecv_all_ports(httpd_suexec_t)
- corenet_tcp_connect_all_ports(httpd_suexec_t)
+@@ -628,6 +762,7 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
-+ sysnet_dns_name_resolve(httpd_suexec_t)
')
+domain_entry_file(httpd_sys_script_t,httpd_sys_content_t)
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
')
-@@ -638,6 +774,12 @@
+@@ -638,6 +773,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -11633,7 +11630,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -655,10 +797,6 @@
+@@ -655,10 +796,6 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -11644,7 +11641,7 @@
########################################
#
# Apache system script local policy
-@@ -668,7 +806,8 @@
+@@ -668,7 +805,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -11654,7 +11651,7 @@
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -682,15 +821,45 @@
+@@ -682,15 +820,46 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -11679,6 +11676,8 @@
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
+
++ corenet_tcp_bind_all_nodes(httpd_sys_script_t)
++ corenet_udp_bind_all_nodes(httpd_sys_script_t)
+ corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
+ corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+ corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
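Review bot: The added `corenet_tcp_bind_all_nodes(httpd_sys_script_t)` and `corenet_udp_bind_all_nodes(httpd_sys_script_t)` widen what CGI scripts may do on the network, but neither the policy text nor the changelog entry (which mentions only the gssd_t dontaudit) says why they are needed. The enclosing block opens outside this hunk, so confirm these grants sit under a boolean and not in unconditional httpd_sys_script_t policy. Together with `create_stream_socket_perms` on self two lines above, node bind is one of the permissions a script needs to bind a local address, so the intent should be stated in a comment such as `# node_bind so script sockets can bind() a local address; port binding is controlled separately`. Watching for name_bind and listen AVC records from httpd_sys_script_t after rollout would show whether the grant is used more broadly than intended.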
@@ -11689,7 +11688,6 @@
+ corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
+ corenet_tcp_connect_all_ports(httpd_sys_script_t)
+ corenet_sendrecv_all_client_packets(httpd_sys_script_t)
-+ sysnet_dns_name_resolve(httpd_sys_script_t)
+')
+
+
@@ -23239,7 +23237,7 @@
+/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.if serefpolicy-3.3.1/policy/modules/services/postgrey.if
--- nsaserefpolicy/policy/modules/services/postgrey.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/postgrey.if 2008-09-08 11:45:12.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/postgrey.if 2008-09-19 10:23:53.000000000 -0400
@@ -12,10 +12,82 @@
#
interface(`postgrey_stream_connect',`
@@ -23249,8 +23247,9 @@
')
allow $1 postgrey_t:unix_stream_socket connectto;
- allow $1 postgrey_var_run_t:sock_file write;
-+ allow $1 postgrey_spool_t:sock_file write;
+- allow $1 postgrey_var_run_t:sock_file write;
++ write_sock_files_pattern($1, postgrey_var_run_t, postgrey_var_run_t)
++ write_sock_files_pattern($1, postgrey_spool_t, postgrey_spool_t)
files_search_pids($1)
')
+
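Review bot: `write_sock_files_pattern($1, postgrey_spool_t, postgrey_spool_t)` covers the socket and its own directory, but the only parent-directory grant visible in postgrey_stream_connect is `files_search_pids($1)`, which serves the /var/run side. The file-context line earlier in this patch labels /var/spool/postfix/postgrey as postgrey_spool_t, so callers probably also need `files_search_spool($1)`, plus search on the postfix spool directory if they do not already have it. Without that the new rule may be unreachable and show up as dir search denials. The interface's gen_require block lies outside this hunk, so also check that it now lists `postgrey_spool_t`.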
@@ -23764,7 +23763,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.3.1/policy/modules/services/prelude.te
--- nsaserefpolicy/policy/modules/services/prelude.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-09-19 09:41:26.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-09-19 10:06:47.000000000 -0400
@@ -0,0 +1,260 @@
+
+policy_module(prelude, 1.0.0)
@@ -23998,7 +23997,7 @@
+')
+
+optional_policy(`
-+ apache_search_sys_content(httpd_lml_t)
++ apache_search_sys_content(prelude_lml_t)
+ apache_read_log(prelude_lml_t)
+')
+
@@ -36006,7 +36005,7 @@
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.3.1/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.if 2008-09-08 11:45:13.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.if 2008-09-19 10:05:27.000000000 -0400
@@ -145,6 +145,25 @@
########################################